On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote:
> On 2.8.2016 05:57, Fraser Tweedale wrote:
> >> > Hah! This is what I get for thinking I know what the output has to look
> >> > like, and not testing all the way through to requesting the cert. I'll
> >> > change the profile to generate a subject with CN= instead of UID=.
> >> > Updated
> >> > patch is attached. Unfortunately these rules are only updated at
> >> > ipa-server-install time, so if you'd like to fix it without reinstalling:
> >> >
> > (Tangential commentary...) Yeah, currently cert-request demands the
> > CN. There is a design to relax the requirement to handle empty
> > subject names (look at SAN only). IMO it would make sense to accept
> > other "obvious" mappings in Subject DN like accepting UID instead of
> > CN for user subjects, but that would be a separate RFE. Noone has
> > actually asked for it yet :)
> I thought that subject format is enforced by certificate profile on server.
> Am I wrong?
You are right - what I suggested above would (today) require a
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code